Cross-site Scripting (XSS) - Generic in bigbluebutton/bigbluebutton
Dec 9th 2021
The "Shared notes" panel is vulnerable to XSS when rendering a new note, because the username is not sanitized before it is rendered.
Proof of Concept
1. Start a new web conference and share the link with other people.
2. A malicious user joins the conference with the following username:
3. As soon as the malicious user types in the "Shared notes" section (and the victim has the "Shared notes" section open), an alert popup is shown to the target user (in this case showing the
User input should always be sanitized to prevent attackers from injecting malicious code. It is also important to perform output encoding in order to prevent unwanted code execution.
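The two controls recommended above, shown side by side as an added example (this is illustrative code, not BigBlueButton's own client code): a display name interpolated straight into the note markup, the same render with output encoding applied, and an assumed join-time username policy.

```javascript
// Added example, not BigBlueButton code: encode untrusted usernames before
// they are placed into shared-notes markup, and validate them at join time.

// Characters that carry meaning in HTML text and attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Output encoding: every character that could open a tag or break out of an
// attribute is replaced by its entity, so the browser renders it as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the display name is interpolated directly into markup,
// so a name containing a tag becomes part of the DOM when the note renders.
function renderNoteAuthorUnsafe(username) {
  return `<span class="note-author">${username}</span>`;
}

// Hardened pattern: same markup, but the untrusted value is encoded first.
function renderNoteAuthorSafe(username) {
  return `<span class="note-author">${escapeHtml(username)}</span>`;
}

// Join-time validation (hypothetical policy, assumed here): accept only
// letters, digits, spaces and a few punctuation marks, capped at 64 chars.
// Output encoding still applies even when this check passes.
const USERNAME_RE = /^[\p{L}\p{N} ._'-]{1,64}$/u;
function isAcceptableUsername(username) {
  return typeof username === "string" && USERNAME_RE.test(username);
}

// Constructed sample input: a display name that carries an HTML tag.
const SAMPLE_NAME = 'Mallory <img src=x onerror="alert(1)">';

// Returns both renderings plus the validation verdict for the sample name.
function demo() {
  return {
    unsafe: renderNoteAuthorUnsafe(SAMPLE_NAME),
    safe: renderNoteAuthorSafe(SAMPLE_NAME),
    accepted: isAcceptableUsername(SAMPLE_NAME),
  };
}
```

The unsafe rendering still contains a live `<img` tag, while the safe rendering contains only entity-encoded text and the validator rejects the name at join time.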
The "fix" has been to switch the fork where we pull a plugin from. This "fix" has been released with versions 2.3.17 and 2.4.0 and I'd rather wait a day or so before confirming it fully resolved. It's not a glorious fix, it's a packaging change.
Thank you for the update. I've just verified that the issue has been resolved in the new release and the XSS payload is not triggered anymore. Could you please confirm the report as resolved?